Bug 652860 (CVE-2010-4167) - CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbitrary code execution
Summary: CVE-2010-4167 ImageMagick: configuration files read from $CWD may allow arbit...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4167
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 653577 767142 796844 796845
Blocks: 742493
TreeView+ depends on / blocked
 
Reported: 2010-11-13 01:14 UTC by Vincent Danen
Modified: 2021-02-24 17:02 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 14:49:04 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0301 0 normal SHIPPED_LIVE Low: ImageMagick security and bug fix update 2012-02-21 07:24:31 UTC
Red Hat Product Errata RHSA-2012:0544 0 normal SHIPPED_LIVE Moderate: ImageMagick security update 2012-05-07 22:22:16 UTC

Description Vincent Danen 2010-11-13 01:14:50 UTC
A Debian bug report [1] indicated that ImageMagick would load configuration files from the current working directory, rather than just standard directories like ~/.magick/ or /usr/lib/ImageMagick-*/config/.  If a user were to run certain ImageMagick programs, like the convert utility, from untrusted directories it could allow for the execution of arbitrary code as the user running the program.

Upstream has corrected [2] this flaw is noted as being fixed in the 6.6.5-5 ChangeLog [3].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601824
[2] http://trac.imagemagick.org/changeset?new=3022%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c&old=2002%40ImageMagick%2Ftrunk%2Fmagick%2Fconfigure.c
[3] http://trac.imagemagick.org/browser/ImageMagick/trunk/ChangeLog

Comment 1 Vincent Danen 2010-11-13 01:22:58 UTC
The Debian bug report has some sample files used to demonstrate the problem.  I've reproduced this on Fedora using those sample files, but not on RHEL4 or 5.  Looking at strace output from ImageMagick on RHEL5, it's definitely opening files in $CWD, but is not parsing these XML files (perhaps they are in a different format than the older ImageMagick expected or there is something else preventing the execution, I didn't spend much time poking at it).

open("/usr/share/ImageMagick-6.2.8/config/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/doc/ImageMagick-6.2.8/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/ImageMagick-6.2.8/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/home/vdanen/.magick/delegates.xml", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("delegates.xml", O_RDONLY|O_LARGEFILE) = 3
_llseek(3, 0, [105], SEEK_END)          = 0


The upstream patch does apply, with fuzz, to RHEL5 at least.

Comment 2 Kurt Seifried 2010-11-13 06:52:12 UTC
The vulnerable code is in configure.c (line 722) in ImageMagick-6.2.8.0-4.el5_5.3.src.rpm, I would assume it's in the updates as well.

Comment 3 Vincent Danen 2010-11-15 17:49:04 UTC
This has been assigned the name CVE-2010-4167.

Comment 4 Vincent Danen 2010-11-15 17:53:12 UTC
Created ImageMagick tracking bugs for this issue

Affects: fedora-all [bug 653577]

Comment 6 Pavel Alexeev 2010-11-17 11:18:38 UTC
If it low impact and fixed upstream may it be closed as UPSTREAM?

And when I'll push next update it will fix it automatically.

Comment 7 Vincent Danen 2010-11-17 22:17:42 UTC
(In reply to comment #6)
> If it low impact and fixed upstream may it be closed as UPSTREAM?
> 
> And when I'll push next update it will fix it automatically.

You could do that for the Fedora tracker, but we'd prefer if the bug was actually closed when an update is pushed to Fedora.

As this also affects RHEL, and will not be fixed automatically with a Fedora update, this bug cannot be closed until it is addressed in RHEL.

Comment 8 Pavel Alexeev 2010-11-28 15:54:32 UTC
In rawhide new version 6.6.5.10 which shouldn't be affected.

Comment 9 Pavel Alexeev 2011-06-24 05:30:47 UTC
No answer. I Assume problem fixed.

Comment 10 Josh Bressers 2011-07-18 18:45:39 UTC
This bug should not be closed.

Comment 11 Pavel Alexeev 2011-07-31 20:05:21 UTC
Why?

Comment 12 Tomas Hoger 2011-08-01 06:59:11 UTC
There are affected ImageMagick versions in RHEL that are planned to be corrected in some future update (as was previously explained in comment #7).  Feel free to un-CC yourself if you only care about Fedora package, which you've dealt with already.  Thank you.

Comment 15 errata-xmlrpc 2012-02-21 03:09:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0301 https://rhn.redhat.com/errata/RHSA-2012-0301.html

Comment 18 errata-xmlrpc 2012-05-07 18:51:19 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0544 https://rhn.redhat.com/errata/RHSA-2012-0544.html

Comment 19 Vincent Danen 2015-08-22 14:49:50 UTC
Statement:

(none)


Note You need to log in before you can comment on or make changes to this bug.